ABSTRACT

An elliptic curve encryption system represents coordinates of a point on the curve as a vector of binary digits in a normal basis representation in $F_{2^m}$. A key is generated from multiple additions of one or more points in a finite field. Inverses of values are computed using a finite field multiplier and successive exponentiations. A key is represented as the coordinates of a point on the curve and key transfer may be accomplished with the transmission of only one coordinate and identifying information of the second. An encryption protocol using one of the coordinates and a further function of that coordinate is also described.

52 Claims, 5 Drawing Sheets 



[Front-page figure: TRANSMITTER 10 and RECEIVER 12, each with an ENCRYPT/DECRYPT module 16]

05/11/2004, EAST Version: 1.4.1






U.S. Patent, Oct. 31, 2000, Sheet 1 of 5, 6,141,420: [drawing sheet; no legible text]



U.S. Patent, Oct. 31, 2000, Sheet 2 of 5, 6,141,420: [drawing sheet; no legible text]



U.S. Patent, Oct. 31, 2000, Sheet 3 of 5, 6,141,420: FIG. 3 [drawing of the finite field processor; legible labels: cells 50a, 50b, ... 50m; registers 44 and 46; INSTRUCTION REGISTER]



U.S. Patent, Oct. 31, 2000, Sheet 4 of 5, 6,141,420: FIG. 4 [flow chart; legible steps: LOAD 42 WITH X; CYCLIC SHIFT 42; LOAD 42 INTO 44; CYCLIC SHIFT 42; MULTIPLY 42 & 44 BY ROTATING BIT VECTORS; TRANSFER 46 TO 44; REPEAT G-2 TIMES; OUTPUT 8 AFTER G-2 REPTN.]



U.S. Patent, Oct. 31, 2000, Sheet 5 of 5, 6,141,420: FIG. 5 [flow chart; legible steps: LOAD X TO 42; CYCLIC SHIFT; COPY TO RAM; COMPUTE INVERSE; LOAD x1^2 IN 44; LOAD B IN 42; MULTIPLY 42 & 44; XOR 46 WITH X^2; STORE IN RAM]



ELLIPTIC CURVE ENCRYPTION SYSTEMS

This is a continuation of PCT/CA95/00452, filed on Jul. 31, 1995, which is a continuation-in-part of Ser. No. 08/282,263, filed on Jul. 29, 1994, now abandoned.

FIELD OF THE INVENTION 

The present invention relates to public key cryptography.

The increasing use and sophistication of data transmission in such fields as telecommunications, networking, cellular communication, wireless communications, "smart card" applications, audio-visual and video communications has led to an increasing need for systems that permit data encryption, authentication and verification.

It is well known that data can be encrypted by utilizing a pair of keys, one of which is public and one of which is private. The keys are mathematically related such that data encrypted with the public key may only be decrypted with the private key and conversely, data encrypted with the private key can only be decrypted with the public key. In this way, the public key of a recipient may be made available so that data intended for that recipient may be encrypted with the public key and only decrypted by the recipient's private key, or conversely, encrypted data sent can be verified as authentic when decrypted with the sender's public key.

The most well known and accepted public key cryptosystems are those based on integer factorization and discrete logarithms in finite groups. In particular, the RSA system for modulus $n = pq$ where p and q are primes, the Diffie-Hellman key exchange and the ElGamal protocol in $Z_p$ (p a prime) have been implemented worldwide.

The RSA encryption scheme, where two primes p and q are multiplied to provide a modulus n, is based on the integer factorization problem. The public key e and private key d are related such that their product $e \cdot d$ equals $1 \pmod{\phi}$ where $\phi = (p-1)(q-1)$. A message M is encrypted by exponentiating it with the private key e to the modulus n, [$C = M^e \pmod n$] and decrypted by exponentiating with the public key mod n [$M = C^d \pmod n$]. This technique requires the transmission of the modulus n and the public key and the security of the system is based on the difficulty of factoring a large number that has no relatively small factors. Accordingly both p and q must be relatively large primes.

One disadvantage of this system is that p and q must be relatively large (at least 512 bits) to attain an adequate level of security. With the RSA protocol this results in a 1024 bit modulus and a 512 bit public key which require significant bandwidth and storage capabilities. For this reason researchers have looked for public key schemes which reduce the size of the public key. Moreover, recent advances in analytical techniques and associated algorithms have rendered the RSA encryption scheme potentially vulnerable and accordingly raised concerns about the security of such schemes. This implies that larger primes, and therefore a larger modulus, need to be employed in order to maintain an acceptable level of security. This in turn increases the bandwidth and storage requirements for the implementation of such a scheme.

Since the introduction of the concept of public key cryptography by Diffie and Hellman in 1976, the potential for the use of the discrete logarithm problem in public key cryptosystems has been recognized. In 1985, ElGamal described an explicit methodology for using this problem to implement a fully functional public key cryptosystem, including digital signatures. This methodology has been refined and incorporated with various protocols to meet a variety of applications, and one of its extensions forms the basis for a proposed U.S. digital signature standard (DSS). Although the discrete logarithm problem, as first employed by Diffie and Hellman in their public key exchange algorithm, referred explicitly to the problem of finding logarithms with respect to a primitive element in the multiplicative group of the field of integers modulo a prime p, this idea can be extended to arbitrary groups (with the difficulty of the problem apparently varying with the representation of the group).

The discrete logarithm problem assumes that G is a finite group, and a and b are elements of G. Then the discrete logarithm problem for G is to determine a value x (when it exists) such that $a^x = b$. The value for x is called a logarithm of b to the base of a, and is denoted by $\log_a b$.

The difficulty of determining this quantity depends on the representation of G. For example, if the abstract cyclic group of order m is represented in the form of the integers modulo m, then the solution to the discrete logarithm problem reduces to the extended Euclidean algorithm, which is relatively easy to solve. However, the problem is made much more difficult if m+1 is a prime, and the group is represented in the form of the multiplicative group of the finite field $F_{m+1}$. This is because the computations must be performed according to the special calculations required for operating in finite fields.

It is also known that by using computations in a finite field whose members lie on an elliptic curve, that is by defining a group structure G on the solutions of $y^2 + xy = x^3 + ax^2 + b$ over a finite field, the problem is again made much more difficult because of the attributes of elliptic curves. Therefore, it is possible to attain an increased level of security for a given size of key. Alternatively a reduced key may be used to maintain a required degree of security.

The inherent security provided by the use of elliptic curves is derived from the characteristic that an addition of two points on the curve can be defined as a further point that itself lies on the curve. Likewise the result of the addition of a point to itself will result in another point on the curve. Therefore, by selecting a starting point on the curve and multiplying it by an integer, a new point is obtained that lies on the curve. This means that where $P = (x, y)$ is a point on an elliptic curve over a finite field [$E(F_q)$] with x and y each represented by a vector of n elements then, for any other point $R \in \langle P \rangle$ (the subgroup generated by P), $dP = R$. To attack such a scheme, the task is to determine an efficient method to find an integer d, $0 \le d \le (\text{order of } P) - 1$, such that $dP = R$. To break such a scheme, the best algorithms known to date have running times no better than $O(\sqrt{p})$, where p is the largest prime dividing the order of the curve (the number of points on the curve).

Thus, in a cryptographic system where the integer d remains secret, the difficulty of determining d can be exploited.

An ElGamal protocol of key exchange based on elliptic curves takes advantage of this characteristic in its definition of private and public keys. Such an ElGamal protocol operates as follows:

1. In order to set up the protocol, where a message is to be sent from A to B, an elliptic curve must be selected and a point $P = (x, y)$, known as the generating point, must be selected.

Encryption

2. The receiver, B, then picks a random integer d as his private key. He then computes dP, which is another point on the curve, which becomes his public key that is made
available to the sender and the public. Although the sender knows the value dP, due to the characteristic of elliptic curves noted above, he has great difficulty determining the private key d.

3. The sender A, chooses another random integer k, the session seed, and computes another point on the curve, kP, which serves as a public session key. This also exploits the characteristic of elliptic curves mentioned above.

4. The sender, A, then retrieves the public key dP of receiver B and computes kdP, another point on the curve, which serves as the shared encryption key for that session.

5. The sender, A, then encrypts the message M with the encryption key to obtain the ciphertext C.

6. The sender then sends the public session key kP and the ciphertext C to the receiver B.

Decryption

7. The receiver, B, determines the encryption key kdP by multiplying his private key d by kP.

8. The receiver, B, can then retrieve the message M by decrypting the ciphertext C with the encryption key kdP.

During the entire exchange, the private key d and the seed key k remain secret so that even if an interloper intercepts the session key kP he cannot derive the encryption key kdP from B's public key dP.

Elliptic curve cryptosystems can thus be implemented employing public and private keys and using the ElGamal protocol.

The elliptic curve cryptography method has a number of benefits. First, each person can define his own elliptic curve for encryption and decryption, which gives rise to increased security. If the private key security is compromised, the elliptic curve can be easily redefined and new public and private keys can be generated to return to a secure system. In addition, to decrypt data encoded with the method, only the parameters for the elliptic curve and the session key need be transmitted.

One of the drawbacks of other public key systems is the large bandwidth and storage requirements for the public keys. The implementation of a public key system using elliptic curves reduces the bandwidth and storage requirements of the public key system because the parameters can be stored in fewer bits. Until now, however, such a scheme was considered impractical due to the computational difficulties involved and the requirement for high speed calculations. The computation of kP, dP and kdP used in a key exchange protocol require complex calculations due to the mathematics involved in adding points in elliptic curve fields.

Computations on an elliptic curve are performed according to a well known set of relationships. If K defines any field, then an equation of the form $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, where each of the coefficients $a_i$ lie in K, defines an elliptic curve over K. If E is the set of points on this curve, then an abelian group can be defined on the set $E \cup \{O\}$, where O is a special element not occurring in E. O acts as the zero element of the group. If $P = (x, y)$, then $-P = (x, -y)$ in the case of an odd characteristic, and for two points P and Q on the curve where $Q \neq \pm P$, the sum P+Q is the third point on the curve where the line joining P and Q again meets the curve. If P=Q, then the tangent line is used. As in any abelian group, we use the notation nP to denote P added to itself n times if n is positive, and -P added to itself |n| times if n is negative, and 0P=O.

If $F_q$ is a finite field, then elliptic curves over $F_q$ can be divided into two classes, namely supersingular and nonsupersingular curves. If $F_q$ is of characteristic 2, i.e. $q = 2^m$, then the classes are defined as follows.

i) The set of all solutions to the equation $y^2 + ay = x^3 + bx + c$ where $a, b, c \in F_q$, $a \neq 0$, together with a special point called the point at infinity O is a supersingular curve over $F_q$.

ii) The set of all solutions to the equation $y^2 + xy = x^3 + ax^2 + b$ where $a, b \in F_q$, $b \neq 0$, together with a special point called the point at infinity O is a nonsupersingular curve over $F_q$.

By defining an appropriate addition on these points, we obtain an additive abelian group. The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the supersingular elliptic curve E with $y^2 + ay = x^3 + bx + c$ is given by the following:

If $P = (x_1, y_1) \in E$ then define $-P = (x_1, y_1 + a)$. $P + O = O + P = P$ for all $P \in E$. If $Q = (x_2, y_2) \in E$ and $Q \neq -P$, then the point representing the sum of P + Q is denoted $(x_3, y_3)$, where

$$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus x_1 \oplus x_2 \quad (P \neq Q)$$
or
$$x_3 = \left(\frac{x_1^2 \oplus b}{a}\right)^2 \quad (P = Q)$$
and
$$y_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus y_1 \oplus a \quad (P \neq Q)$$
or
$$y_3 = \left(\frac{x_1^2 \oplus b}{a}\right)(x_1 \oplus x_3) \oplus y_1 \oplus a \quad (P = Q)$$

The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$ is given by the following:

If $P = (x_1, y_1) \in E$ then define $-P = (x_1, y_1 + x_1)$. For all $P \in E$, $O + P = P + O = P$. If $Q = (x_2, y_2) \in E$ and $Q \neq -P$, then P + Q is a point $(x_3, y_3)$ where

$$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2 \oplus a \quad (P \neq Q)$$
or
$$x_3 = x_1^2 \oplus \frac{b}{x_1^2} \quad (P = Q)$$
and
$$y_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus x_3 \oplus y_1 \quad (P \neq Q)$$
or
$$y_3 = x_1^2 \oplus \left(x_1 \oplus \frac{y_1}{x_1}\right) x_3 \oplus x_3 \quad (P = Q)$$

Accordingly it can be seen that computing the sum of two points on E requires several multiplications, additions, and inverses in the underlying field $F_q$. In turn, each of these operations requires a sequence of elementary bit operations.

When implementing an ElGamal or Diffie-Hellman scheme with elliptic curves, one is required to compute $kP = P + P + \ldots + P$ (P added k times) where k is a positive integer and $P \in E$. This requires the computation of $(x_3, y_3)$ to be computed k-1 times. Even if alternative techniques such as "double and add" are utilised, it is still necessary to compute the addition of two points several times, each of which requires multiplications, additions and inverses in the underlying finite field. For large values of k which are typically necessary in cryptographic applications, this has previously been considered impractical for data communication.

It is an object of the present invention to provide a method of encryption utilizing elliptic curves that facilitates the computation of additions of points while providing an adequate level of security in an efficient and effective manner.

The applicants have developed a method using a modified version of the Diffie-Hellman and ElGamal protocols
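As an added illustration (not code from the patent or its applicants), the following Python block works the nonsupersingular group law and the ElGamal key agreement above in the toy field $F_{2^4}$, so that every coordinate fits in four bits and the whole group can be enumerated by brute force. It assumes a polynomial-basis representation modulo $x^4 + x + 1$ (the patent prefers a normal basis, but the group law itself does not depend on the representation) and constructed curve parameters $a = g^4$, $b = 1$ with g a root of that polynomial; the base point, d and k are likewise constructed sample values. The functions `add`, `scalar_mul` and `elgamal_keys` are names chosen here, and the 16-point count and the shared key are outcomes the code computes, not figures quoted from the page.

```python
# Added example (not from the patent): the nonsupersingular group law above,
# worked in the toy field F_2^4 so every value fits in 4 bits.
# Field: polynomial basis modulo x^4 + x + 1 (the patent prefers a normal
# basis; the group law is representation-independent).
M = 4
POLY = 0b10011            # x^4 + x + 1, irreducible over F_2

def gf_mul(a, b):
    """Multiply two field elements (carry-less multiply, then reduce)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:            # degree reached m: subtract (xor) the modulus
            a ^= POLY
    return r

def gf_inv(a):
    """a^-1 = a^(2^m - 2) by square-and-multiply (repeated squarings)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_2^m")
    result, base, e = 1, a, (1 << M) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

# Constructed toy curve y^2 + xy = x^3 + A x^2 + B with A = g^4 = g + 1, B = 1
# (b != 0, so the curve is nonsupersingular).
A_COEF = 0b0011
B_COEF = 0b0001
O = None                  # point at infinity

def on_curve(P):
    if P is O:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A_COEF, x2) ^ B_COEF

def neg(P):
    """-P = (x, y + x) on the nonsupersingular curve."""
    return O if P is O else (P[0], P[1] ^ P[0])

def add(P, Q):
    """P + Q using the (P != Q) and (P == Q) formulas from the text."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:   # Q == -P (and if x1 == 0, P == -P)
            return O
        x1sq = gf_mul(x1, x1)
        lam = x1 ^ gf_mul(y1, gf_inv(x1))                 # x1 + y1/x1
        x3 = x1sq ^ gf_mul(B_COEF, gf_inv(x1sq))           # x1^2 + b/x1^2
        y3 = x1sq ^ gf_mul(lam, x3) ^ x3
        return (x3, y3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))                 # (y1+y2)/(x1+x2)
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A_COEF
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def scalar_mul(k, P):
    """kP by double-and-add (the alternative technique the text mentions)."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def all_points():
    """Brute-force enumeration of E(F_2^4), point at infinity included."""
    return [O] + [(x, y) for x in range(16) for y in range(16) if on_curve((x, y))]

def elgamal_keys(P, d, k):
    """Return (dP, kP, kdP as the sender computes it, kdP as the receiver computes it)."""
    dP = scalar_mul(d, P)             # receiver's public key
    kP = scalar_mul(k, P)             # session public key, sent with the ciphertext
    sender_key = scalar_mul(k, dP)    # sender: k * (dP)
    receiver_key = scalar_mul(d, kP)  # receiver: d * (kP)
    return dP, kP, sender_key, receiver_key

if __name__ == "__main__":
    print("points on E:", len(all_points()))
    print(elgamal_keys((0b1000, 0b0101), 7, 5))   # constructed base point, d, k
```

The test of the implementation is closure: every sum of two enumerated points lands on the curve again, and 16P = O for every point, as Lagrange's theorem requires of a group of 16 elements. Both sides of the exchange arrive at the same kdP even though neither ever sees the other's secret integer.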


defined in the group associated with the points on an elliptic curve over a finite field. The method involves formulating the elliptic curve calculations so as to make elliptic curve cryptography efficient, practical and viable, and preferably employs the use of a finite field processor such as the Computational Method and Apparatus for Finite Field Multiplication as disclosed in U.S. Pat. No. 4,745,568. The preferred method exploits the strengths of such a processor with its computational abilities in finite fields. The inventive method structures the elliptic curve calculations as finite field multiplication and exponentiation over the field $F_{2^m}$. In the preferred method, a normal basis representation of the finite field is selected and the calculations can readily be performed on a finite field processor.

The inventors have recognized that the computations necessary to implement the elliptic curve calculations can be performed efficiently where a finite field of characteristic 2 is chosen.

When computing in a field of characteristic 2, i.e. $F_{2^m}$, squaring is a linear operation, i.e. $(A+B)^2$ is $A^2 + B^2$. By adapting appropriate representations, the computation of the squared terms required in the addition of two points is greatly simplified. In particular, if a normal basis representation is chosen, squaring can be achieved through a cyclic shift of the binary vector representing the field element to be squared.

Moreover, computing inverses in $F_{2^m}$ can be implemented with simple shift and XOR operations by selection of an appropriate representation. In some implementations, the computation of an inverse can be arranged to utilize multiple squaring operations and thereby improve the efficiency of the computation.

When such computations are performed using a normal basis representation of the finite field, the inventors have also recognized that the elliptic curve calculations are further simplified. With the computations presented in this form, the applicants have realized that specialized semiconductor devices can be fabricated to perform the calculations. With the calculations presented in such a form, additions in the field $F_{2^m}$ can be efficiently performed in one clock cycle utilizing a simple XOR operation. Multiplications can be performed very efficiently in only n clock cycles where n is the number of bits being multiplied. Furthermore, squaring can be efficiently performed in 1 clock cycle as a cyclic shift of the bit register. Finally, inverses can easily be computed, requiring approximately $\log_2 n$ multiplications rather than the approximately 2n multiplications required in other arithmetic systems.

The inventors have also recognized that the bandwidth and storage requirements of a cryptographic system utilizing elliptic curves can be significantly reduced where for any point P(x,y) on the curve, only the x coordinate and one bit of the y coordinate need be stored and transmitted, since the one bit will indicate which of the two possible solutions is the second coordinate.

The inventors have also recognized when using the ElGamal protocol that messages need not be points on the curve if the protocol is modified such that the message M is considered as a pair of field elements $M_1, M_2$ and each is operated on by the coordinates (x, y) of the session encryption key kdP in a predetermined manner to produce new field elements $C_1, C_2$ that represent the ciphertext C. The receiver can then extract the message $M = (m_1, m_2)$ by applying the inverse transformation of the predetermined manner. Although this may require an inverse operation in the field, they may be performed efficiently in the field $F_{2^{155}}$, and in particular when operating with the processor noted above.

To assist in the appreciation of the implementation of the present invention, it is believed that a review of the underlying principles of finite field operations is appropriate.

The finite field $F_2$ is the number system in which the only elements are the binary numbers 0 and 1 and in which the rules of addition and multiplication are the following:

0+0=1+1=0
0+1=1+0=1
0x0=1x0=0x1=0
1x1=1

These rules are commonly called modulo-2 arithmetic. All additions specified in logic expressions or by adders in this application are performed modulo-2 as an XOR operation. Furthermore, multiplication is implemented with logical gates.

The finite field $F_{2^m}$, where m is an integer greater than 1, is the number system in which there are $2^m$ elements and in which the rules of addition and multiplication correspond to arithmetic modulo an irreducible polynomial of degree m with coefficients in $F_2$. Although in an abstract sense there is for each m only one field $F_{2^m}$, the complexity of the logic required to perform operations in $F_{2^m}$ depends strongly on the particular way in which the field elements are represented. Operations may be performed using processors implemented in either hardware or software with dedicated hardware processors generally considered faster.

The conventional approach to operations performed in $F_{2^m}$ is described in such papers as T. Bartee and D. Schneider, "Computation with Finite Fields", Information and Control, vol. 6, pp. 79-98, 1963. In the conventional approach, one first chooses a polynomial P(X) of degree m which is irreducible over $F_2$, that is, P(X) has binary coefficients but cannot be factored into a product of polynomials with binary coefficients each of whose degree is less than m. An element A of $F_{2^m}$ is then defined to be a root of P(X), that is, to satisfy P(A)=0. The fact that P(X) is irreducible guarantees that the m elements $A^0 = 1, A, A^2, \ldots, A^{m-1}$ of $F_{2^m}$ are linearly independent over $F_2$.

For the purposes of illustration the example of $F_{2^3}$ will be used with the choice of $P(X) = X^3 + X + 1$ for the irreducible polynomial of degree 3. The next step is to define A as an element of $F_{2^3}$ such that $A^3 + A + 1 = 0$. The following assignment of unit vectors is then made:

$A^0 = 1 = [1,0,0]$
$A = [0,1,0]$
$A^2 = [0,0,1]$

An arbitrary element B of $F_{2^3}$ is now represented by the binary vector $[b_2, b_1, b_0]$ with the meaning that $B = [b_2, b_1, b_0] = b_2 A^2 + b_1 A + b_0$.

If we represent a second element $C = [c_2, c_1, c_0]$, it follows that $B + C = [b_2 \oplus c_2, b_1 \oplus c_1, b_0 \oplus c_0]$. Thus, in the conventional approach, addition in $F_{2^3}$ is easily performed by logic that merely forms the modulo-2 sum of the two vectors representing the elements to be summed component-by-component. Multiplication is, however, considerably more complex to implement.

Continuing the example, from the irreducible polynomial it can be seen that $A^3 = A + 1$ and $A^4 = A^2 + A$ where use has been made of the fact that -1=+1 in F(2). In hardware, multiplication can be simplified by taking advantage of the special feature of a finite field $F_{2^m}$ that there always exists a so-called normal basis for the finite field. That is, one can always find a field element N such that $N, N^2, N^4, \ldots, N^{2^{m-1}}$ are a basis for $F_{2^m}$. Every field element B can be uniquely written as $B = b_{m-1} N^{2^{m-1}} + \ldots + b_2 N^4 + b_1 N^2 + b_0 N = [b_{m-1}, \ldots, b_2, b_1, b_0]$ where $b_0, b_1, b_2, \ldots, b_{m-1}$ are binary digits.
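As an added example (not from the patent), the following Python block works the $F_{2^3}$ illustration above end to end: arithmetic in the conventional basis with $P(X) = X^3 + X + 1$, a search for a normal element N whose conjugates $N, N^2, N^4$ form a basis, conversion between the two representations, squaring as a cyclic shift of the normal-basis vector, and an inverse assembled from shifts and multiplications. The conversion by table lookup and the multiplication by detour through the polynomial basis are simplifications assumed here; the patent's processor multiplies normal-basis vectors directly by rotating them, which this block does not reproduce. The function names are chosen here.

```python
# Added example (not from the patent): the F_2^3 illustration above, in the
# conventional basis and then in a normal basis {N, N^2, N^4}.
M = 3
POLY = 0b1011             # P(X) = X^3 + X + 1
MASK = (1 << M) - 1

def gf_mul(a, b):
    """Product in the conventional basis; A^3 is reduced to A + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def is_normal(n):
    """True if n, n^2, ..., n^(2^(m-1)) are linearly independent over F_2."""
    spanned = {0}
    for v in (gf_pow(n, 1 << i) for i in range(M)):
        spanned |= {s ^ v for s in spanned}
    return len(spanned) == 1 << M

# First element whose conjugates form a normal basis (found by search).
NORMAL_N = next(n for n in range(1, 1 << M) if is_normal(n))
NB = [gf_pow(NORMAL_N, 1 << i) for i in range(M)]      # [N, N^2, N^4]

def from_normal(v):
    """Normal-basis vector (bit i = coefficient of N^(2^i)) -> conventional basis."""
    r = 0
    for i in range(M):
        if v >> i & 1:
            r ^= NB[i]
    return r

_TO_NORMAL = {from_normal(v): v for v in range(1 << M)}   # lookup table (assumed simplification)

def to_normal(a):
    return _TO_NORMAL[a]

def square_normal(v):
    """Squaring in normal basis: [b_{m-1},...,b_0] -> [b_{m-2},...,b_0,b_{m-1}]."""
    return ((v << 1) | (v >> (M - 1))) & MASK

def mul_normal(u, v):
    """Multiply two normal-basis vectors (here via the conventional basis)."""
    return to_normal(gf_mul(from_normal(u), from_normal(v)))

def inv_normal(v):
    """v^-1 = v^(2^m - 2) = v^2 * v^4 * ... * v^(2^(m-1)): the product of the
    m-1 cyclic shifts of v, costing m-2 multiplications and no division."""
    if v == 0:
        raise ZeroDivisionError("0 has no inverse")
    shifted = square_normal(v)
    acc = shifted
    for _ in range(M - 2):
        shifted = square_normal(shifted)
        acc = mul_normal(acc, shifted)
    return acc
```

With m = 3 the inverse is a single multiplication of two shifted copies of the operand; for larger m an addition chain over the squarings brings the count down to the order of $\log_2 m$ multiplications the text quotes, while the shifts themselves stay free.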
Then, if $B = [b_{m-1}, \ldots, b_2, b_1, b_0]$ and $C = [c_{m-1}, \ldots, c_1, c_0]$ are any two elements of $F_{2^m}$ in normal basis representation, then the product $D = B \times C = [d_{m-1}, \ldots, d_2, d_1, d_0]$ has the property that the same logic circuitry which, when applied to the components or binary digits of the vectors representing B and C, produces $d_{m-1}$ will sequentially produce the remaining components of the product when applied to the successive shifts of the vectors representing B and C.

As illustrated in U.S. Pat. No. 4,745,568 for Computational Method and Apparatus for Finite Field Multiplication, multiplication may be implemented by storing bit vectors B and C in respective shift registers and establishing connections to respective accumulating cells such that a grouped term of each of the expressions $d_i$ is generated in respective ones of m accumulating cells. By rotating the bit vectors B and C in the shift registers and by rotating the contents of the accumulating cells, each grouped term of a respective binary digit $d_i$ is accumulated in successive cells. Thus all of the binary digits of the product vector are generated simultaneously in the accumulating cells after one complete rotation of the bit vectors B and C.

One attribute of operating such a processor in the field $F_{2^m}$ is that squaring is a linear operation in the sense that for every pair of elements B and C in $F_{2^m}$, $(B + C)^2 = B^2 + C^2$. It is the case for every element B of $F_{2^m}$ that $B^{2^m} = B$. In particular in a normal basis representation, squaring an element involves a cyclic shift of the vector representation of the element, i.e. if $B = [b_{m-1}, \ldots, b_2, b_1, b_0]$ then $B^2 = [b_{m-2}, \ldots, b_2, b_1, b_0, b_{m-1}]$.

Thus when using the processor exemplified above, squaring may be achieved in one cycle. Moreover, this general characteristic of $F_{2^m}$, where squaring is a linear operation, may be exploited in other implementations, such as software, where a normal basis representation is not used.

As noted above, the inventors have taken advantage of the efficiency of the mathematical operations in $F_{2^m}$ in the implementation of an elliptic curve encryption scheme. The applicants have developed a method of formulating the elliptic curve calculations so as to make elliptic curve cryptography efficient, practical and viable. The preferred method employs the use of a finite field processor such as the Computational Method and Apparatus for Finite Field Multiplication as disclosed in U.S. Pat. No. 4,745,568. The method couples the attractive cryptographic characteristics of elliptic curves with the strengths of the field processor through its computational abilities in the finite field $F_{2^m}$. The inventive method structures the elliptic curve calculations as operations, such as multiplication and exponentiation, over the field $F_{2^m}$, which can readily be calculated on a finite field processor.

BRIEF DESCRIPTION OF THE DRAWINGS

An embodiment of the invention will now be described by way of example only with reference to the accompanying drawings in which:

FIG. 1 is a diagram of the transmission of an encrypted message from one location to another,

FIG. 2 is a diagram of an encryption module used with the communication system of FIG. 1,

FIG. 3 is a diagram of a finite field processor used in the encryption and decryption module of FIG. 2,

FIG. 4 is a flow chart showing movement of the elements through the processor of FIG. 3 in computing an inverse function,

FIG. 5 is a flow chart showing movement of elements through the processor of FIG. 3 to compute the addition of two points.

An embodiment of the invention will first be described utilising an ElGamal key exchange protocol and a Galois field $F_{2^{155}}$ to explain the underlying principles. Further refinements will then be described.

SYSTEM COMPONENTS

Referring to FIG. 1, a message M is to be transferred from a transmitter 10 to a receiver 12 through a communication channel 14. Each of the transmitter 10 and receiver 12 has an encryption/decryption module 16 associated therewith to implement a key exchange protocol and an encryption/decryption algorithm.

The module 16 is shown schematically in FIG. 2 and includes an arithmetic unit 20 to perform the computations in the key exchange and generation. A private key register 22 contains a private key, d, generated as a 155 bit data string from a random number generator 24, and used to generate a public key stored in a public key register 26. A base point register 28 contains the coordinates of a base point P that lies on the elliptic curve selected, with each coordinate (x, y) represented as a 155 bit data string. Each of the data strings is a vector of binary digits with each digit being a coefficient in the normal basis representation of the coordinate.

The elliptic curve selected will have the general form $y^2 + xy = x^3 + ax^2 + b$ and the parameters of that curve, namely the coefficients a and b, are stored in a parameter register 30. The contents of registers 22, 24, 26, 28, 30 may be transferred to the arithmetic unit 20 under control of a C.P.U. 32 as required.

The contents of the public key register 26 are also available to the communication channel 14 upon a suitable request being received. In the simplest implementation, each encryption module 16 in a common security zone will operate with the same curve and base point, so that only the public key need be accessible to the channel 14. If further sophistication is required, however, each module 16 may have its own curve and base point, in which case the contents of registers 28, 30 have to be accessible to the channel 14.

The module 16 also contains an integer register 34 that receives an integer k, the session seed, from the generator 24 for use in encryption and key exchange. The module 16 has a random access memory (RAM) 36 that is used as a temporary store as required during computations.

The encryption of the message M with an encryption key kdP derived from the public key dP and session seed k is performed in an encryption unit 40 which implements a selected encryption algorithm. A simple yet effective algorithm is provided by an XOR function which XOR's the message m with the 310 bits of the encryption key kdP. Alternative implementations such as the DES encryption algorithm could of course be used.
An alternative encryption protocol treats the message m as a pair of coordinates $m_1, m_2$, each of 155 bit length in the case of $F_{2^{155}}$, and XOR's the message $m_1, m_2$ with the coordinates of the session key kdP to provide a pair of bit strings $(m_1 \oplus x_0)$, $(m_2 \oplus y_0)$. For further security a pair of field elements are also formed from the coordinates $(x_0, y_0)$ of kdP.

In one embodiment, the elements $z_1, z_2$ are formed from the concatenation of part of $x_0$ with part of $y_0$, for example,

$z_1 = x_{01} \| y_{02}$ and $z_2 = x_{02} \| y_{01}$

where $x_{01}$ is the first half of the bit string of $x_0$,
$x_{02}$ is the second half of the bit string of $x_0$,
$y_{01}$ is the first half of the bit string of $y_0$,
$y_{02}$ is the second half of the bit string of $y_0$.

The elements $z_1$ and $z_2$, when treated as field elements, are then multiplied with the respective bit strings $(m_1 \oplus x_0)$ and $(m_2 \oplus y_0)$ to provide bit strings $c_1, c_2$ of the ciphertext c, i.e.

$c_1 = z_1 (m_1 \oplus x_0)$
$c_2 = z_2 (m_2 \oplus y_0)$

In a preferred implementation of the encryption protocol, a function of $x_0$ is used in place of $y_0$ in the above embodiment. For example the function $x_0^3$ is used as the second 155 bit string so that

$c_2 = z_2 (m_2 \oplus x_0^3)$

and

where $x_{01}^3$ is the first half of $x_0^3$,
$x_{02}^3$ is the second half of $x_0^3$.

This protocol is also applicable to implementation of elliptic curve encryption in a field other than $F_{2^m}$, for example $Z_p$ or in general $F_{p^m}$.

Where $Z_p$ is used it may be necessary to adjust the values of $x_0$ and $y_0$ or $x_0^3$ to avoid overflow in the multiplication with $z_1$ and $z_2$. Conventionally this may be done by setting the most significant bit of $x_0$ and $x_0^3$ or $y_0$ to zero.
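As an added example (not from the patent), the following Python block implements the coordinate-based encryption protocol just described, in both the $y_0$ embodiment and the preferred $x_0^3$ embodiment, and the matching decryption by field inverse. It assumes the field $F_{2^8}$ with reduction polynomial $x^8 + x^4 + x^3 + x + 1$ so that "half of a bit string" is a four-bit nibble; the kdP coordinates and message halves are constructed sample values, not a real curve point, and the function names are chosen here. The block also handles one failure mode the text does not discuss: when a half of $x_0$ and the matching half of the second string are both zero, $z_1$ or $z_2$ is the zero element, the multiplication destroys the message and has no inverse, so the session key must be rejected.

```python
# Added example (not from the patent): the z1/z2 coordinate protocol above,
# in F_2^8 (modulus x^8 + x^4 + x^3 + x + 1) so a "half" is a 4-bit nibble.
M = 8
POLY = 0x11B
HALF = M // 2
LOW = (1 << HALF) - 1

def gf_mul(a, b):
    """Carry-less multiply, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """a^-1 = a^(2^m - 2) by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def halves(v):
    """(first half, second half) of an m-bit string, most significant first."""
    return v >> HALF, v & LOW

def second_string(x0, y0=None):
    """The second coordinate string: y0 if supplied, else the preferred x0^3."""
    return y0 if y0 is not None else gf_mul(x0, gf_mul(x0, x0))

def session_elements(x0, second):
    """z1 = x01 || s2 and z2 = x02 || s1, where s is y0 or x0^3."""
    x01, x02 = halves(x0)
    s1, s2 = halves(second)
    z1 = (x01 << HALF) | s2
    z2 = (x02 << HALF) | s1
    if z1 == 0 or z2 == 0:
        # Zero is not invertible: ciphertext would be all zeros and
        # undecryptable, so such a session key must not be used.
        raise ValueError("session key yields a zero field element")
    return z1, z2

def is_usable_session_key(x0, y0=None):
    try:
        session_elements(x0, second_string(x0, y0))
        return True
    except ValueError:
        return False

def encrypt(m1, m2, x0, y0=None):
    """c1 = z1 (m1 + x0), c2 = z2 (m2 + s) with s = y0 or x0^3."""
    s = second_string(x0, y0)
    z1, z2 = session_elements(x0, s)
    return gf_mul(z1, m1 ^ x0), gf_mul(z2, m2 ^ s)

def decrypt(c1, c2, x0, y0=None):
    """Undo encrypt: multiply by z^-1, then strip the XOR mask."""
    s = second_string(x0, y0)
    z1, z2 = session_elements(x0, s)
    return gf_mul(gf_inv(z1), c1) ^ x0, gf_mul(gf_inv(z2), c2) ^ s

SAMPLE_X0, SAMPLE_Y0 = 0xA7, 0x5C     # constructed kdP coordinates
SAMPLE_M1, SAMPLE_M2 = 0x3C, 0xD2     # constructed message halves

if __name__ == "__main__":
    c = encrypt(SAMPLE_M1, SAMPLE_M2, SAMPLE_X0)
    print("ciphertext:", c, "recovered:", decrypt(*c, SAMPLE_X0))
```

Because every receiver-side operation is a field multiplication by $z^{-1}$ followed by an XOR, decryption costs one inverse per coordinate, which is the inverse operation the text says the processor performs efficiently.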

Key Generation, Exchange and Encryption 

In order for the transmitter 10 to send the message M to 
the receiver 12, the receiver's public key is retrieved by the 
transmitter 10. The public key is obtained by the receiver 12 
computing the product of the secret key d and base point P 
in the arithmetic unit 20 as will be described more fully 
below. The product dP represents a point on the selected 
curve and serves as the public key. The public key dP is 
stored as two 155 bit data strings in the public key register 
26. 

Upon retrieval of the public key dP by the transmitter 10, 
it is stored in the RAM 36. It will be appreciated that even 
though the base point P is known and publicly available, the 
attributes of the elliptic curve inhibit the extraction of the 
secret key d. 

The transmitter 10 uses the arithmetic unit 20 to compute 
the product of the session seed k and the public key dP and 
stores the result, kdP, in the RAM 36 for use in the 
encryption algorithm. The result kdP is a further point on the 
selected curve, again represented by two 155 bit data strings 
or vectors, and serves as an encryption key. 

The transmitter 10 also computes the product of the 
session seed k with the base point P to provide a new point 
kP, the session public key, which is stored in the RAM 36. 
The transmitter 10 now has the public key dP of the
receiver 12, a session public key kP and an encryption key
kdP and may use these to send an encrypted message. The
transmitter 10 encrypts the message M with the encryption 
key kdP in the encryption unit 40 implementing the selected 
encryption protocols discussed above to provide an 
encrypted message C. The ciphertext C is transmitted 
together with the value kP to the encryption module 16 
associated with receiver 12. 

The receiver 12 utilises the session public key kP with its 
private key d to compute the encryption key kdP in the 
arithmetic unit 20 and then decrypt the ciphertext C in the 
encryption unit 40 to retrieve the message M. 

During this exchange, the secret key d and the session 
seed k remain secret and secure. Although P, kP and dP are 
known, the encryption key kdP cannot be computed due to 
the difficulty in obtaining either d or k. 

The efficacy of the encryption depends upon the efficient
computation of the values kP, dP and kdP by the arithmetic
unit 20. Each computation requires the repetitive addition of
two points on the curve which in turn requires the computation
of squares and inverses in F_2^m.

Operation of the Arithmetic Unit 

The operation of the arithmetic unit 20 is shown
schematically in FIG. 3. The unit 20 includes a multiplier 48
having a pair of cyclic shift registers 42, 44 and an
accumulating register 46. Each of the registers 42, 44, 46 contains
m cells 50a, 50b . . . 50m, in this example 155, to receive
the m elements of a normal basis representation of one of the
coordinates, e.g. x, of P. As fully explained in U.S. Pat. No.
4,745,568, the cells 50 of registers 42, 44 are connected to
the corresponding cells 50 of accumulating register 46 in such
a way that a respective grouped term is generated in each
cell of register 46. The registers 42, 44, 46 are also directly
interconnected in a bit wise fashion to allow fast transfers of
data between the registers.

The movement of data through the registers is controlled
by a control register 52 that can execute the instruction set
shown in the table below:

TABLE 1 - INSTRUCTION SET

Operation               Instruction                         Size                          Clock Cycles
Field Multiplication    MULT                                155 bit blocks                156
Calculation of Inverse  INVERSE                             24 multiplications            approx. 3800
I/O                     WRITE (A, B or C)                   5 32-bit transfers per        10
                        READ (A, B or C)                    read/write to registers       (2 clock cycles per transfer)
Elementary Register     NOP (idle)                          155 bit parallel operation
                        Rotate (A, B or C)
                        Copy (A <- B), (A <- C), (B <- C)
                        SWAP (A <-> B)
                        CLEAR (A, B or C)
                        SET (A, B or C)
                        ADD (A . B)
                        ACCUMULATE


The unit 20 includes an adder 54 to receive data from the
registers 42, 44, 46 and RAM 36. The adder 54 is an XOR
function and its output is a data stream that may be stored in
RAM 36 or one of the registers 42, 44. Although shown as
a serial device, it will be appreciated that it may be
implemented as a parallel device to improve computing time;
similarly the registers 42, 44, 46 may be parallel loaded. Each
of the registers 42, 44, 46 is a 155 bit register and is
addressed by a 32 bit data bus to allow 32 bit data transfer
in 2 clock cycles and the entire loading in 5 operations.

The subroutines used in the computation will now be 
described. 

a) Multiplication 

The cyclic shift of the elements through the registers 42, 
44 m times with a corresponding shift of the accumulating 
register 46 accumulates successive group terms in respective 
accumulating cells and a complete rotation of the elements 
in the registers 42, 44, produces the elements of the product 
in the accumulating register 46. 

b) Squaring 

By operating in F_2^m and adopting a normal basis
representation of the field elements, the multiplier 48 may also
provide the square of a number by cyclically shifting the
elements one cell along the register 42. After a one cell
shift, the elements in the register represent the square of the
number. In general, a number may be raised to the power 2^g
by cyclically shifting g times through a register.

c) Inversion 

Computation of the inverse of a number can be performed
efficiently with the multiplier 48 by implementing an
algorithm which utilises multiple squaring operations. The
inverse X^{-1} is represented as X^{2^m - 2} or X^{2(2^{m-1} - 1)}.

If m-1 is considered as the product of two factors g, h then
X^{-1} may be written as X^{2(2^{gh} - 1)} or p^{2^{gh} - 1} where p = X^2.

The exponent 2^{gh} - 1 is equivalent to

(2^g - 1)(1 + 2^g + 2^{2g} + ... + 2^{(h-1)g})

The term 2^g - 1 may be written as

Σ_{j=0}^{g-1} 2^j

so that

X^{-1} = p^{(2^g - 1)(1 + 2^g + ... + 2^{(h-1)g})} = y^{1 + 2^g + 2^{2g} + ... + 2^{(h-1)g}}

where

y = p^{1 + 2 + 2^2 + 2^3 + ... + 2^{g-1}}
This term may be computed on multiplier 48 as shown in
FIG. 4 by initially loading register 42 with the value X.
This is shifted 1 cell to represent p (i.e. X^2) and the result
loaded into both registers 42, 44.

Register 44 is then shifted to provide p^2 and the registers
42, 44 multiplied to provide p^{1+2} in the accumulating
register 46. The multiplication is obtained with one motion,
i.e. an m bit cyclic shift, of each of the registers 42, 44, 46.

The accumulated term p^{1+2} is transferred to register 44
and register 42, which contains p^2, is shifted one place to
provide p^4. The registers 42, 44 are multiplied to provide
p^{1+2+4}.

This procedure is repeated g-2 times to obtain y. As will
be described below, y can be exponentiated in a similar
manner to obtain X^{-1}.

This term can be expressed as y^{1 + 2^g + 2^{2g} + ... + 2^{(h-1)g}}.
As noted above, y can be exponentiated to the 2^g by
shifting the normal basis representation g times in the
register 42, or 44.

Accordingly, the registers 42, 44 are each loaded with the
value y and the register 42 shifted g times to provide y^{2^g}. The
registers 42, 44 are multiplied to provide y·y^{2^g} or y^{1+2^g} in the
accumulating register 46. This value is transferred to the
register 44 and the register 42 shifted g times to provide y^{2^{2g}}.

The multiplication will then provide y^{1+2^g+2^{2g}}. Repetition
of this procedure (h-1)g-1 times produces the inverse of X
in the accumulating register 46.

From the above it will be seen that squaring, multiplying, 
and inverting can be effectively performed utilising the finite 
field multiplier 48. 

Addition of Point P to Itself (P+P) Using the 
Subroutines 

To compute the value of dP for generation of the public
key, the arithmetic unit 20 associated with the receiver 12
initially computes the addition of P+P. As noted in the
introduction, for a nonsupersingular curve the new point Q
has coordinates (x_3, y_3) where

x_3 = x_1^2 ⊕ b / x_1^2

y_3 = x_1^2 ⊕ (x_1 ⊕ y_1 / x_1) x_3 ⊕ x_3

To compute x_3, the following steps may be implemented
as shown in FIG. 5.

The m bits representing x_1 are loaded into register 42
from base point register 28 and shifted one cell to the right
to provide x_1^2. This value is stored in RAM 36 and the
inverse of x_1^2 computed as described above.

The value of x_1^{-2} is loaded into register 44 and the
parameter b extracted from the parameter register 30 and
loaded into register 42. The product b x_1^{-2} is computed in the
accumulating register 46 by rotating the bit vectors and the
resultant value XOR'd in adder 52 with the value of x_1^2 stored
in RAM 36 to provide the normal basis representation of x_3.
The result may be stored in RAM 36.

A similar procedure can be followed to generate y_3 by
first inverting x_1, multiplying the result by y_1 and XORing
with x_1 in the adder 52. This is then multiplied by x_3 stored
in RAM 36 and the result XOR'd with the value of x_3 and
x_1^2 to produce y_3.
The resultant value of (x_3, y_3) represents the sum of P+P
and is a new point Q on the curve. This could then be added
to P to produce a new point Q'. This process could be
repeated d-2 times to generate dP.

The addition of P+Q requires the computation of (x_3, y_3)
where

x_3 = ((y_1 ⊕ y_2)/(x_1 ⊕ x_2))^2 ⊕ (y_1 ⊕ y_2)/(x_1 ⊕ x_2) ⊕ x_1 ⊕ x_2 ⊕ a

y_3 = ((y_1 ⊕ y_2)/(x_1 ⊕ x_2))(x_1 ⊕ x_3) ⊕ x_3 ⊕ y_1

This would be repeated d-2 times with a new value of Q
at each iteration to compute dP.

Whilst in principle this is possible with the arithmetic unit
20, in practice the large numbers used make such a procedure
infeasible. A more elegant approach is available using
the binary representation of the integer d.

Computation of dP from 2P

To avoid adding dissimilar points P and Q, the binary
representation of d is used with a doubling method to reduce
the number of additions and the complexity of the additions.
The integer d can be expressed as

d = Σ_{j=0}^{t} λ_j 2^j, λ_j ∈ {0, 1}

so that

dP = Σ_{j=0}^{t} λ_j (2^j P)

The values of λ_j are the binary representation of d.

Having computed 2P, the value obtained may be added to
itself, as described above at FIG. 5, to obtain 2^2 P, which in
turn can be added to itself to provide 2^3 P etc. This is repeated
until 2^t P is obtained.

At each iteration, the value of 2^j P is retained in RAM 36
for use in subsequent additions to obtain dP.

The arithmetic unit 20 performs a further set of additions
for dissimilar points for those terms where λ_j is 1 to provide
the resultant value of the point (x_3, y_3) representing dP.

If for example k=5, this can be computed as 2^2 P+P or
2P+2P+P or Q+Q+P. Therefore the result can be obt­ained in
3 additions; 2P=Q takes 1 addition, 2P+2P=Q+Q=R takes 1
and R+P takes 1 addition. At most t doublings and t
subsequent additions are required depending on how many
λ_j ...

Performance of Arithmetic Units 20

For computations in a Galois field F_2^155 it has been found
that computing the inverse takes approximately 3800 clock
cycles.

The doubling of a point, i.e. the addition of a point to itself,
takes in the order of 4500 clock cycles and for a practical
implementation of a private key, the computation of the
public key dP may be computed in the order of 1.5x10^6
clock cycles. With a clock rate typically in the order of 40
MHz, the computation of dP will take in the order of 3x10^-2
seconds. This throughput can be enhanced by bounding the
seed key k with a Hamming weight of, for example, 20 and
thereby limit the number of additions of dissimilar points.

Computation of Session Public Key kP and
Encryption Key kdP

The session public key kP can similarly be computed with
the arithmetic unit 20 of transmitter 10 using the base point
P from register 28. Likewise, because the public key dP is
represented as a point (x_3, y_3), the encryption key kdP can be
computed in similar fashion. Each of these computations will
take a similar time and can be completed prior to the transmission.

The recipient 12 is similarly required to compute dkP as
he received the ciphertext c which again will take in the
order of 3x10^-2 seconds, well within the time expected for
a practical implementation of an encryption unit.

The public key dP, and the session key kP are each
represented as a 310 bit data string and as such require a
significantly reduced bandwidth for transmission. At the
same time, the attributes of elliptic curves provide a secure
encryption strategy with a practical implementation due to
the efficacy of the arithmetic unit 20.

Curve Selection

a) The selection of the field F_2^m

The above example has utilised a field of 2^155 and a
non-supersingular curve. The value 155 was chosen in part
because a ... normal basis ... in F_2^155 over F_2.
Another consideration is the security and efficiency
of the field; 155 is ... to be secure ... enough for efficient operation. A
consideration of conventional attacks that might be used to
break the ciphertext suggests that with elliptic curves over
F_2^m, a value of m of about 130 provides a very secure system.
Using one thousand devices in parallel, the time taken to find
one logarithm is about 1.5x10^... seconds or at least 1500
years using the best known method and the field F_2^155. Other
techniques produce longer run times.

b) Supersingular v. Nonsupersingular Curves

A comparison of attacks on data encrypted using elliptic
curves suggests that non-supersingular curves are more
robust than supersingular curves. For a field F_2^m, an attack
based on the method suggested by Menezes, Okamoto and
Vanstone in an article entitled "Reducing elliptic curve
logarithms to logarithms in finite field" published in the
Proceedings 22nd Annual ACM Symposium Theory Computing
1991, pp 80-89, (the MOV attack) shows that for small
values of k, the attack becomes subexponential. Most
supersingular curves have small values of k associated with
them. In general however, non-supersingular curves have
large values of k and provided k > log_2 q then the MOV attack
becomes less efficient than more conventional general
attacks.

The use of a supersingular curve is attractive since the
doubling of a point (i.e. the case where P=Q) does not
require any real time inversions in the underlying field. For
a supersingular curve, the coordinates of 2P are

...

Since ... is a constant and a is fixed for a given curve, ...
can be precomputed. The values of x_1^2 and x_1^4 can be
computed by a single and double cyclic shift respectively
on the multiplier 48. However, the subsequent addition of
dissimilar points to provide the value of dP still requires the
computation of an inverse as

x_3 = ((y_1 ⊕ y_2)/(x_1 ⊕ x_2))^2 ⊕ (y_1 ⊕ y_2)/(x_1 ⊕ x_2) ⊕ ...
Accordingly, although supersingular curves lead to
efficient implementations, there is a relatively small set of
supersingular curves from which to choose, particularly if
the encryption is to be robust. For a supersingular curve
where m is odd, there are 3 classes of curve that can be
considered further, namely

...
y^2 + y = x^3 + x
y^2 + y = x^3 + x + 1

However, a consideration of these curves for the case
where m=155 shows that none provide the necessary
robustness from attack.

Enhanced security for supersingular curves can be
obtained by employing quadratic extensions of the
underlying field. In fact, in F_q where q=2^310, i.e. a quadratic
extension of F_2^155, amongst the supersingular curves, there
are four which under the MOV attack require computation
of discrete logs in F_2^... . These curves provide the requisite
high security and also exhibit a high throughput. Similarly,
in other extensions of subfields of F_2^m (e.g. F_2^n) other curves
exist that exhibit the requisite robustness. However, their use
increases the digits that define a point and hence the
bandwidth when they are transmitted.

By contrast, the number of nonsupersingular curves over
F_2^155 is 2(2^155 - 1). By selecting q=2^m, i.e. a field F_2^m, the
value of a in the representation of the curve, y^2+xy=x^3+
ax^2+b, can be chosen to be either 1 or 0 without loss of
generality. This large choice of curves permits large numbers
of curves over this field to be found for which the order of
a curve is divisible by a large prime factor. In general,
determining the order of an arbitrary nonsupersingular curve
over F_q is not trivial and one approach is explained further
in a paper entitled "Counting Points on Elliptic Curves" by
Menezes, Vanstone and Zuccherato, Mathematics of
Computation 1992.

In general however, the selection of suitable curves is well
known in the art, as exemplified in "Application of Finite
Fields", chapters 7 and 8, by Menezes, Blake et al, Kluwer
Academic Publishers (ISBN 0-7923-9282-5). Because of the
large numbers of such curves that meet the requirements, the
use of nonsupersingular curves is preferred despite the
added computations.

An alternative approach that reduces the number of
inversions when using nonsupersingular curves is to employ
homogeneous coordinates. A point P is defined by the
coordinates (x_1, y_1, z_1) and Q by the point (x_2, y_2, z_2).
The point (0, 1, 0) represents the identity O in E.

To derive the addition formulas for the elliptic curve with
this representation, we take points (x_1, y_1, z_1) and (x_2,
y_2, z_2), normalize each to (x_1/z_1, y_1/z_1, 1), (x_2/z_2, y_2/z_2, 1),
and apply the previous addition formulas. If P=(x_1, y_1, z_1),
Q=(x_2, y_2, z_2), P,Q ≠ O, and P ≠ -Q then P+Q = (x_3, y_3, z_3) where
if P ≠ Q then

x_3 = AD
y_3 = CD + A^2 (B x_1 + A y_1)
z_3 = A^3 z_1 z_2

where A = x_2 z_1 + x_1 z_2, B = y_2 z_1 + y_1 z_2, C = A ⊕ B and D = A^2 (A +
a z_1 z_2) + z_1 z_2 BC.

In the case of P=Q, then

x_3 = AB
y_3 = x_1^4 A + B (x_1^2 + y_1 z_1 + A)
z_3 = A^3

where A = x_1 z_1 and B = b z_1^4 + x_1^4.

It will be noted that the computation of x_3, y_3 and z_3 does
not require any inversion. However, to derive the
coordinates x_3, y_3 in a nonhomogeneous representation, it is
necessary to normalize the representation so that
x_3' = x_3/z_3, y_3' = y_3/z_3.

This operation requires an inversion that utilizes the
procedure noted above. However, only one inversion
operation is required for the computation of dP.

Using homogeneous coordinates, it is still possible to
compute dP using the version of the double and add method
described above. The computing action of P+Q, P ≠ Q,
requires 13 field multiplications, and 2P requires 7
multiplications.

Alternative Key Transfer

In the example above, the coordinates of the keys kP, kdP
are each transferred as two 155 bit field elements for F_2^155.
To reduce the bandwidth further it is possible to transmit
only one of the co-ordinates and compute the other
coordinate at the receiver. An identifier, for example a single bit of
the correct value of the other coordinate, may also be
transmitted. This permits the possibilities for the second
coordinate to be computed by the recipient and the correct
one identified from the identifier.

Referring therefore to FIG. 1, the transmitter 10 initially
retrieves as the public key dP of the receiver 12, a bit string
representing the coordinate x_0 and a single bit of the
coordinate y_0.

The transmitter 10 has the parameters of the curve in
register 30 and therefore may use the coordinate x_0 and the
curve parameters to obtain possible values of the other
coordinate y_0 from the arithmetic unit 20.

For a curve of the form y^2+xy=x^3+ax^2+b and a coordinate
x_0, then the possible values y_1, y_2 for y_0 are the roots of the
quadratic y^2 + x_0 y = x_0^3 + a x_0^2 + b.

By solving for y in the arithmetic unit 20 two possible
roots will be obtained and comparison with the transmitted
bit of information will indicate which of the values is the
appropriate value of y.

The two possible values of the second coordinate (y_0)
differ by x_0, i.e. y_1 = y_2 + x_0.

Since the two values of y_0 differ by x_0, then y_1 and y_2 will
always differ where a 1 occurs in the representation of x_0.
Accordingly the additional bit transmitted is selected from
one of those positions and examination of the corresponding
bit of the values of y will indicate which of the two roots is the
appropriate value.

... of the public key ..., only 156 bits are retrieved ...

Similar economies can be realized in transmitting the
session key kP to the receiver 12 as the transmitter 10 need
only forward one coordinate, x_0, and the selected identifying
bit of y_0. The receiver 12 may then reconstruct the possible
values of y_0 and select the appropriate one.

In the field F_2^m it is not possible to solve for y using the
quadratic formula as 2a=0. Accordingly, other techniques
need to be utilised and the arithmetic unit 20 is particularly
adapted to perform this efficiently.
In general provided x_0 is not zero, if y = x_0 z then x_0^2 z^2 +
x_0^2 z = x_0^3 + a x_0^2 + b.

This may be written as

z^2 + z = x_0 + a + b / x_0^2 = c.

If m is odd then either

z = c + c^{2^2} + c^{2^4} + ... + c^{2^{m-1}}

... to provide two possible values for y_0.

A similar solution exists for the case where m is even that
also utilises terms of the form c^{2^k}.

This is particularly suitable for use with a normal basis
representation in F_2^m.

As noted above, raising a field element in F_2^m to a power
2^g can be achieved by a g fold cyclic shift where the field
element is represented in a normal basis.

Accordingly, each value of z can be computed by shifting
and adding and the values of y_0 obtained. The correct one of
the values is determined by the additional bit transmitted.

The use of a normal basis representation in F_2^m therefore
simplifies the protocol used to recover the coordinate y_0.

If P = (x_0, y_0) is a point on the elliptic curve E: y^2+xy=x^3+
ax^2+b defined over a field F_2^m, then the bit ỹ_0 is defined to be 0 if
x_0 = 0; if x_0 ≠ 0 then ỹ_0 is defined to be the least significant bit
of the field element y_0 · x_0^{-1}.

The x-coordinate x_0 of P and the bit ỹ_0 are transmitted
between the transmitter 10 and receiver 12. Then the y
coordinate y_0 can be recovered as follows.

1. If x_0 = 0 then y_0 is obtained by cyclically shifting the
vector representation of the field element b that is
stored in parameter register 30 one position to the left.
That is, if

b = b_{m-1} b_{m-2} ... b_1 b_0

then

y_0 = b_{m-2} ... b_1 b_0 b_{m-1}.

2. If x_0 ≠ 0 then do the following:
2.1 Compute the field element c = x_0 + a + b x_0^{-2} in F_2^m.
2.2 Let the vector representation of c be c = c_{m-1} c_{m-2} ... c_1 c_0.
2.3 Construct a field element z = z_{m-1} z_{m-2} ... z_1 z_0 by
setting

z_0 = ỹ_0
z_1 = c_0 ⊕ z_0
z_2 = c_1 ⊕ z_1
...
z_{m-2} = c_{m-3} ⊕ z_{m-3}
z_{m-1} = c_{m-2} ⊕ z_{m-2}.

2.4 Finally, compute y_0 = x_0 · z.

It will be noted that the computation of x_0^{-1} can be readily
computed in the arithmetic unit 20 as described above and
that the computation of y_0 can be obtained from the
multiplier 48.
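Added example, not the patent's code: the inversion chain of section c) above and steps 1 to 2.4 for recovering y_0, run over GF(2^11) in a polynomial basis (the irreducible x^11 + x^2 + 1 and the curve a = b = 1 are assumptions); the recovered point is also doubled with the P+P formulas of FIG. 5 to confirm that it lies on the curve.

```python
# Added example (not the patent's code). GF(2^11) in a polynomial basis with
# the irreducible x^11 + x^2 + 1 (an assumption) stands in for the patent's
# normal-basis F_2^155: a squaring costs a multiplication here instead of a
# one-cell cyclic shift, but the exponent chains and the y_0 recovery are the same.
M = 11
POLY = (1 << M) | (1 << 2) | 1       # x^11 + x^2 + 1
G, H = 5, 2                           # g*h = m-1 = 10, as in the inversion chain
CURVE_A, CURVE_B = 1, 1               # constructed curve y^2 + xy = x^3 + a*x^2 + b

def gf_mul(x, y):
    """Shift-and-add product of two field elements, reduced modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= POLY
    return r

def gf_sq(x):
    return gf_mul(x, x)

def gf_pow2k(x, k):
    """x^(2^k): k squarings, i.e. k cyclic shifts in a normal basis."""
    for _ in range(k):
        x = gf_sq(x)
    return x

def gf_inv(x, g=G, h=H):
    """X^-1 = p^(2^(m-1) - 1), p = X^2, m-1 = g*h. Returns (inverse, multiplications)."""
    assert x != 0 and g * h == M - 1
    p = gf_sq(x)
    y, t, mults = p, p, 0
    for _ in range(g - 1):            # y = p^(1+2+...+2^(g-1)) = p^(2^g - 1)
        t = gf_sq(t)
        y = gf_mul(y, t)
        mults += 1
    inv, t = y, y
    for _ in range(h - 1):            # inv = y^(1+2^g+...+2^((h-1)g))
        t = gf_pow2k(t, g)
        inv = gf_mul(inv, t)
        mults += 1
    return inv, mults

def half_trace(c):
    """z = c + c^(2^2) + c^(2^4) + ... + c^(2^(m-1)) for odd m.
    z^2 + z = c + Tr(c), so this solves z^2 + z = c exactly when Tr(c) = 0."""
    z, t = c, c
    for _ in range((M - 1) // 2):
        t = gf_pow2k(t, 2)
        z ^= t
    return z

def on_curve(x, y):
    x2 = gf_sq(x)
    return gf_sq(y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(CURVE_A, x2) ^ CURVE_B

def double_point(x1, y1):
    """P+P for x1 != 0: x3 = x1^2 + b*x1^-2, y3 = x1^2 + (x1 + y1/x1)*x3 + x3."""
    x1inv = gf_inv(x1)[0]
    x3 = gf_sq(x1) ^ gf_mul(CURVE_B, gf_sq(x1inv))
    y3 = gf_sq(x1) ^ gf_mul(x1 ^ gf_mul(y1, x1inv), x3) ^ x3
    return x3, y3

def compress(x0, y0):
    """What is transmitted: x0 and the LSB of y0 * x0^-1 (0 when x0 = 0)."""
    if x0 == 0:
        return 0, 0
    return x0, gf_mul(y0, gf_inv(x0)[0]) & 1

def decompress(x0, bit):
    """Recover y0 from x0 and the identifying bit."""
    if x0 == 0:
        return 0, gf_pow2k(CURVE_B, M - 1)   # sqrt(b): one cyclic shift in a normal basis
    c = x0 ^ CURVE_A ^ gf_mul(CURVE_B, gf_sq(gf_inv(x0)[0]))   # c = x0 + a + b*x0^-2
    z = half_trace(c)
    if gf_sq(z) ^ z != c:
        raise ValueError("no curve point has this x-coordinate")
    if (z & 1) != bit:                # roots z and z+1 give y0 and y0 + x0
        z ^= 1
    return x0, gf_mul(x0, z)

def roundtrip_all_points():
    """Compress/decompress every affine point with x0 != 0 and check that
    P+P lands on the curve. Returns the number of such points."""
    count = 0
    for x in range(1, 1 << M):
        try:
            _, y = decompress(x, 0)
        except ValueError:
            continue
        for y0 in (y, y ^ x):         # both roots: y0 and y0 + x0
            assert on_curve(x, y0)
            assert decompress(*compress(x, y0)) == (x, y0)
            assert on_curve(*double_point(x, y0))
            count += 1
    return count
```

The multiplication count returned by gf_inv is (g-1) + (h-1), which is how the factorisation of m-1 trades squarings (shifts) against the multiplications listed for INVERSE in Table 1.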






In the above examples, the identification of the
appropriate value of y_0 has been obtained by transmission of a single
bit and a comparison of the values of the roots obtained.
However, other indicators may be used to identify the
appropriate one of the values and the operation is not
restricted to encryption with elliptic curves in the field
GF(2^m). For example, if the field is selected as Z_p, p ≡ 3 (mod
4), then the Legendre symbol associated with the appropriate
value could be transmitted to designate the appropriate
value. Alternatively, the set of elements in Z_p could be
subdivided into a pair of subsets with the property that if y
is in one subset, then -y is in the other, provided y ≠ 0. An
arbitrary value can then be assigned to respective subsets
and transmitted with the coordinate x_0 to indicate in which
subset the appropriate value of y_0 is located. Accordingly,
the appropriate value of y_0 can be determined. Conveniently,
it is possible to take an appropriate representation in which
the subsets are arranged as intervals to facilitate the
identification of the appropriate value of y_0.

These techniques are particularly suitable for encryption 
utilizing elliptic curves but may also be used with any 
algebraic curves and have applications in other fields such as 
error correcting coding where coordinates of points on 
curves have to be transferred. 

It will be seen therefore that by utilising an elliptic curve
lying in the finite field GF(2^m) and utilising a normal basis
representation, the computations necessary for encryption
with elliptic curves may be efficiently performed. Such
operations may be implemented in either software or
hardware and the structuring of the computations makes the use
of a finite field multiplier implemented in hardware
particularly efficient.

I claim: 

1. In a data encryption system in which the data is 
combined with an encryption key to produce ciphertext, a 
method of generating a key comprising the steps of 

a) selecting an elliptic curve of the form y^2+xy=x^3+ax^2+b
lying in the finite field GF(2^m), said field being selected
to have elements A^{2^i} (0 ≤ i ≤ m) that constitute a normal
basis,

b) representing the coordinates of a point on said curve as
a set of vectors, each vector representing a coordinate
of said point and having m binary digits, each of which
represents the coefficient of A^{2^i} in the normal basis
representation of said vector,

c) computing from addition of at least two sets of vectors 
an additional set of vectors to represent the coordinates 
of further point on said curve, and 

d) utilising said additional set of vectors to derive a key 
for encrypting data. 

2. A method according to claim 1 wherein addition of sets
of vectors involves at least one squaring operation.

3. A method according to claim 2 wherein said squaring 
operation is performed on at least one of said vectors of one 
of said sets representing a point. 

4. A method according to claim 3 wherein said squaring 
operation is performed on combinations of vectors from a 
plurality of said sets representing respective points. 

5. A method according to claim 3 wherein each of said 
vectors is represented as m binary digits and squaring 
thereof is performed by a cyclic shift of said m binary digits. 

6. A method according to claim 5 wherein said m binary 
digits are stored in respective cells of a shift register and 
squaring thereof is performed by a cyclic shift of said m bits 
in said register. 

7. A method according to claim 1 wherein addition of sets
of vectors involves the computation of at least one inverse 
of a vector. 
8. A method according to claim 7 wherein said inversion
utilises multiple squaring operations.

9. A method according to claim 8 wherein squaring
operations are performed by a cyclic shift of binary digits.

10. A method according to claim 7 wherein computation
of said inverse includes an exponentiation of the square of
the vector to provide a value y of the form

p^{1 + 2 + 2^2 + ... + 2^{g-1}}

where p is the square of the vector and g is a factor of m-1.

11. A method according to claim 10 wherein successive
terms of said exponentiation are obtained by successive
cyclic shifts of the vector.

12. A method according to claim 11 wherein the value of
the y is accumulated after each cyclic shift by multiplication
of the shifted term with the previously accumulated value of
y.

13. A method according to claim 10 wherein m binary
digits representing p are stored in each of a pair of shift
registers, one of said pair of registers being cyclically shifted
and said pair of registers being multiplied to provide an
intermediate value of y.

14. A method according to claim 13 wherein said one of
said pair of registers is further cyclically shifted to provide
a further successive term of said expansion and said further
successive term multiplied with said intermediate value to
provide a further intermediate value of y.

15. A method according to claim 14 wherein said cyclic
shifting and multiplication is performed g-2 times to
complete said exponentiation of p and provide a value of y.

16. A method according to claim 10 where computation of
said inverse includes a further exponentiation of y of the
form

y^{1 + 2^g + 2^{2g} + ... + 2^{(h-1)g}}

where h is a factor of m-1 such that gh=m-1.

17. A method according to claim 16 wherein successive
terms of said further exponentiation are obtained by successive
cyclic shifts of the m binary digits representing y.

18. A method according to claim 17 wherein the value of
said inverse is accumulated after each cyclic shift by
multiplication of the shifted term with the previously
accumulated value of y.

19. A method according to claim 16 wherein m binary
digits representing y are stored in each of a pair of shift
registers, one of said pair of registers being cyclically shifted
and said pair of registers being multiplied together to
provide an intermediate value of said inverse.

20. A method according to claim 19 wherein said one of
said pair of registers is further cyclically shifted to provide
a further successive term of said expansion which is then
multiplied with said intermediate value of said inverse to
provide a further intermediate value thereof.

21. A method according to claim 20 wherein said cyclic
shifting and multiplication is performed (h-1)g-1 times to
complete exponentiation of y.

22. A method according to claim 11 wherein said further
point on said curve is an integer multiple d of said point P
and said value dP is computed by successively doubling
multiples of P to provide terms 2^t P from t=0 to t=m, and
computing

dP = Σ_{j=0}^{m} λ_j (2^j P)

where λ_j is the coefficient of the binary representation of d.

23. A method according to claim 22 wherein doubling of
multiples of P is obtained by computing

x_3 = x_1^2 ⊕ b / x_1^2

y_3 = x_1^2 ⊕ (x_1 ⊕ y_1 / x_1) x_3 ⊕ x_3

where x_1, y_1 are the coordinates of the point 2^{t-1} P and x_3, y_3 are
the coordinates of the point 2^t P.

24. A method according to claim 23 wherein computation
of x_1^2 is obtained by a cyclic shift of the binary digits
representing x_1 in a normal basis.

25. A method according to claim 24 wherein computation
of the inverse of x_1^2 is computed by an exponentiation of
x_1^2 to provide a value γ of the form

β^{1 + 2 + 2^2 + ... + 2^{g-1}}

where β = x_1^4 and g is a factor of m-1.

26. A method according to claim 25 wherein successive
terms of said exponentiation are obtained by successive
cyclic shifts of the binary digits representing x_1^2 in a normal
basis.

27. A method according to claim 26 wherein computation
of the inverse of x_1^2 includes a further exponentiation of γ
of the form

γ^{1 + 2^g + 2^{2g} + ... + 2^{(h-1)g}}

where h is a factor of m-1 such that gh=m-1.

28. A method according to claim 27 wherein successive
terms of said further exponentiation are obtained by successive
cyclic shifts of the m binary digits representing γ.

29. A method of transferring the coordinates of a point on
an algebraic curve defined by a function of two variables
between a pair of correspondents connected by a data
communications link comprising the steps of forwarding
from one correspondent to another a coordinate of said
point, providing at said other correspondent parameters of
said algebraic curve, and computing at said other
correspondent said other coordinate from said one coordinate and said
...

30. A method according to claim 29 including the step of
forwarding with said one coordinate identifying information
of said other coordinate and utilising said identifying
information and a discriminating function to determine the
appropriate value of said other coordinate.

31. A method according to claim 30 wherein said
identifying information is a digital bit of said other coordinate that
identifies the appropriate value of said other coordinate.

32. A method according to claim 30 wherein said
algebraic curve is an elliptic curve of the form y^2+xy=x^3+ax^2+b
and said other coordinate is determined by solving a
quadratic equation to provide two possible values of said other
coordinate, said identifying information indicating the
appropriate one of said values.

33. A method according to claim 32 wherein said
identifying information is a digital bit of said other coordinate that
identifies the appropriate value of said other coordinate.
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34. A method according to claim 30 wherein said alge- from one of said coordinates and a function thereof to 
braic curve is defined over the field Zp and said identifying produce said ciphertext. 

information indicates the Legendre symbol of the appropri- 45 a method according to claim 43 wherein said enci- 

ate value. phering bit string is derived from said coordinate x and the 

35. A method according to claim 30 wherein said curve is 5 cu ^ e x 3 mereo f t 

defined over the field zp and the elements thereof subdivided . * , , . A - , - c , 
into a pair of subsets%ne of which contains one possible 46 ' «°riing/o f™* f whe rem field de- 
value and the other of which contains the other possible mt ^T 1 ^ ^ ° f ^ ™ ordlDate f 
value, said indicating information identifying the subset modlfv ^ combination of said message bit strings and said 
containing the appropriate value, enciphering bit string. 

36. A method according to claim 29 wherein said alge- 47. A method according to claim 46 wherein said cipher- 
braic curve is an elliptic curve of the form y 2 +xy-x 3 +ax+b text c is of the form (cjcj where 

defined over a finite field F 2 m . c,«z 1 (m 1 ©f 1 (x 0 )) and 

37. A method according to claim 36 including the step of iy 1 
forwarding with said one coordinate identifying information c 2 +z 2( m i© £ 2l x o)J» 

of said other coordinate and utilising said identifying infor- 15 f^Xo^M are respective first and second values derived 

mation and a discriminating function to determine the appro- from the coordinate x and z 1 and Zj are respective field 

priate value of said other coordinate. elements derived from the coordinate x. 

38. A method according ( to claim 37 wherein said field 48. A method according to claim 47 wherein f 2 (x) is said 
GF2 m has field elements A 2 ' that constitute a normal basis. second coordinate y. 

39. A method according to claim 38 wherein said other 20 49, a method according to claim 47 wherein f^x) is the 
coordinate is determined by solving a quadratic equation to cu t, e 0 f m e value of the coordinate x. 

provide two possible values of said other coordinate, said 50 a method according to claim 47 wherein said field 

identifying information indicating the appropriate one of elements z are formed by concatenating part of each of said 

said values. values f (x) f (x) 

40. A method according to claim 38 wherein said qua- 25 51 ^ m ^ according to claim so whe rein f 2 (x) is 
dratic equation is solved by summing terms of the form c deriycd from ^ cube of me yalue of ^ x 
from g=0 to g-m-1 where 52 A method according to claim 47 wherein 

Xf 30 

and 

and Xq is said one coordinate. 3 

41 . A method according to claim 40 wherein terms of the c 2 =z^m 2 0 
form c are obtained by g fold cyclic shifts of the normal basis 
representation of c. 

42. A method of encrypting a message m using a public 

key cryptographic system and having a private key formed Zi=XoJl x 2 

from a bit string representative of a coordinate (x, y) of a 

point p on an elliptic curve, said method comprising the ^ 

steps of representing said message m as a pair of message bit 40 

strings m 1 m 2 of length corresponding to the bit strings z 2 - x 2K 

representing the coordinates x,y, and combining said mes- „ * . , r ._ ^ L tcr, L 

sage bit strings with an enciphering bit string derived from w h ere *Jk " the counterclaim of the first half of the 

at least one of said coordinates to generate a ciphertext c of representation of the coordinate x and the second ha V of the 

said message 45 cancellation or " me representation of x and xjpcj is the 

43. A method according to claim 42 wherein said enci- concatenation of the second half of the representation of the 
phering bit strings are derived from each of said coordinates coordinate x with the first half of the representation of the 
to produce ciphertext c. ^ * 

44. A method according to claim 42 wherein said message 

bit strings are combined with enciphering bit strings derived ***** 



35 and 
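The following Python is an added illustration and is not code from the patent or its assignee. It shows, on a toy scale, three mechanisms the claims describe: the inverse of a field element computed by repeated squaring with the product accumulated after each step (claims 16 to 21), recovery of the second coordinate from one coordinate plus an identifying bit by solving a quadratic (claims 29 to 33 and 39), and the ciphertext form c1 = z1(m1 XOR f1(x0)), c2 = z2(m2 XOR f2(x0)) with f1 = x^3 and f2 = y (claims 47 to 49). Everything concrete is an assumption made for the example: the field is F_(2^7) in a polynomial basis defined by x^7 + x + 1 (the patent uses a normal basis, in which the squarings below would be cyclic shifts), the curve is y^2 + xy = x^3 + x^2 + 1, the identifying bit is the low bit of z = y/x, and z1 = x0, z2 = x0^3 replace the concatenation rule of claim 50. The quadratic is solved with the half-trace, which applies for odd m, rather than the patent's summation of shifted terms.

```python
# Added example (not from the patent). Toy arithmetic in F_{2^m} using a
# polynomial basis (the patent uses a normal basis, where squaring is a cyclic
# shift; here squaring is an ordinary multiplication).  All parameters below
# are constructed for illustration.

M = 7                   # field degree m; odd, so the half-trace solves z^2 + z = c
MODULUS = 0b10000011    # irreducible x^7 + x + 1 defining F_{2^7}
A, B = 1, 1             # curve y^2 + xy = x^3 + A x^2 + B (B != 0 for non-singularity)
MASK = (1 << M) - 1

def gf_mul(u, v):
    """Multiply two field elements held as m-bit integers, reducing modulo MODULUS."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:            # degree reached m: reduce by the defining polynomial
            u ^= MODULUS
    return r & MASK

def gf_inv(u):
    """Inverse as u^(2^m - 2) (claims 16-21): 2^m - 2 = 2 + 4 + ... + 2^(m-1),
    so square repeatedly and accumulate the product of the successive powers."""
    if u == 0:
        raise ZeroDivisionError("0 has no inverse")
    acc, t = 1, u
    for _ in range(M - 1):
        t = gf_mul(t, t)          # t = u^(2^i); a cyclic shift in a normal basis
        acc = gf_mul(acc, t)      # accumulate after each squaring (claim 18)
    return acc

def gf_trace(c):
    """Trace c + c^2 + ... + c^(2^(m-1)); z^2 + z = c is solvable iff it is 0."""
    t, p = 0, c
    for _ in range(M):
        t ^= p
        p = gf_mul(p, p)
    return t

def solve_quadratic(c):
    """Return one root z of z^2 + z = c (the other is z ^ 1), or None if none exists.
    Uses the half-trace, valid for odd m; the patent sums shifted terms instead."""
    if gf_trace(c):
        return None
    h, p = 0, c
    for _ in range((M + 1) // 2):
        h ^= p
        p = gf_mul(p, p)
        p = gf_mul(p, p)          # p = c^(2^(2i))
    return h

def on_curve(x, y):
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B

def compress(x, y):
    """Key transfer with one coordinate plus identifying information (claims 29-33).
    Assumed convention: the bit is the low bit of z = y/x, where the two candidate
    roots z and z ^ 1 always differ."""
    return x, gf_mul(y, gf_inv(x)) & 1

def decompress(x, bit):
    """Recover y: with y = x z the curve equation becomes z^2 + z = x + A + B/x^2."""
    if x == 0:
        raise ValueError("x = 0 is not handled by this toy")
    xinv = gf_inv(x)
    z = solve_quadratic(x ^ A ^ gf_mul(B, gf_mul(xinv, xinv)))
    if z is None:
        return None                # no point on the curve has this x
    if (z & 1) != bit:
        z ^= 1                     # pick the root the identifying bit selects
    return gf_mul(x, z)

def find_point(start=1):
    """Constructed helper: first x >= start that lies under a curve point."""
    for x in range(start, 1 << M):
        y = decompress(x, 0)
        if y is not None:
            return x, y
    raise RuntimeError("no point found")

def encipher(m1, m2, x0, y0):
    """Claim 47 form: c1 = z1(m1 XOR f1(x0)), c2 = z2(m2 XOR f2(x0)), with
    f1 = x^3 (claim 49) and f2 = y (claim 48).  z1 = x0 and z2 = x0^3 are an
    assumed simplification of the concatenation rule of claim 50."""
    f1, f2 = gf_mul(gf_mul(x0, x0), x0), y0
    z1, z2 = x0, f1
    return gf_mul(z1, m1 ^ f1), gf_mul(z2, m2 ^ f2)

def decipher(c1, c2, x0, y0):
    """Undo encipher: multiply by the field inverse of z, then strip f(x0)."""
    f1, f2 = gf_mul(gf_mul(x0, x0), x0), y0
    z1, z2 = x0, f1
    return gf_mul(gf_inv(z1), c1) ^ f1, gf_mul(gf_inv(z2), c2) ^ f2

if __name__ == "__main__":
    x, y = find_point()
    assert on_curve(x, y) and decompress(*compress(x, y)) == y
    print("point", (x, y), "round trip", decipher(*encipher(37, 91, x, y), x, y))
```

Two details matter when this is scaled up: the receiver must check that the recovered (x, y) actually satisfies the curve equation (on_curve) before using it as key material, since a transmitted x with no solution, or a tampered identifying bit, otherwise yields the wrong point silently; and z1, z2 must be non-zero field elements, which is why the toy refuses x = 0.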
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